Authentication & Identity
How agents authenticate with Sekuire and establish trust.
Overview
Sekuire uses layered authentication:
- Agent Identity - Cryptographic identity (Sekuire ID)
- Install Tokens - Bootstrap credentials for deployments (TS Beacon/Worker)
- Trust Headers - Registry-issued headers for A2A requests (TypeScript client)
┌─────────────┐    Install Token    ┌─────────────────┐
│   Agent     │ ──────────────────▶ │   Sekuire API   │
│             │                     │                 │
│ Sekuire ID  │ ◀────────────────── │  Runtime Token  │
│ + Keypair   │      Bootstrap      │                 │
└─────────────┘                     └─────────────────┘
Sekuire ID
Every agent has a content-addressable identity computed from its code:
Sekuire ID = BLAKE3(
    canonicalize(model_name) ||
    BLAKE3(system_prompt) ||
    BLAKE3(tools_schema)
)
The Sekuire ID changes when:
- System prompt changes
- Tools are added/removed
- Model is changed
Generating Keys
Generate an Ed25519 keypair for your agent:
sekuire keygen
This creates:
- .sekuire/public.key - Share this, include in registry
- .sekuire/secret.key - Keep private, never commit
Calculating Sekuire ID
sekuire hash
Install Tokens
Install tokens authenticate agent deployments with Sekuire (used by TypeScript Beacon and TaskWorker).
Generating Tokens
From CLI:
sekuire install token \
    --workspace ws_abc123 \
    --agent 7f8a9b3c2d1e...
From Dashboard:
- Go to Workspace > Agents
- Click "Install Agent"
- Copy the generated token
Token Format
Install tokens are opaque strings (prefix skt_). Treat them as secrets.
Recovery Credentials
Recovery credentials allow agents to restart without consuming a new install token. After initial bootstrap, persist:
- SEKUIRE_INSTALLATION_ID
- SEKUIRE_REFRESH_TOKEN
- SEKUIRE_RUNTIME_TOKEN (optional, may be expired)
On startup, the SDK will use recovery credentials first and refresh the runtime token if needed.
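A pre-commit style check for the secrets named on this page, added here as an example and not part of the Sekuire SDK or CLI: it flags `skt_`, `srf_` and `srt_` values (prefixes taken from this page's examples) and the `.sekuire/secret.key` path, and redacts what it reports. The token body pattern, the function names and the sample input are assumptions.

```typescript
// Added example, not Sekuire code. Prefixes skt_/srf_/srt_ come from this page;
// the token body alphabet and minimum length are assumptions.
interface Finding { line: number; kind: string; redacted: string; }

const KINDS: { [prefix: string]: string } = {
  skt: 'install token',
  srf: 'refresh token',
  srt: 'runtime token',
};

// Keep only the prefix and the last two characters so findings are safe to log.
function redact(token: string): string {
  return token.slice(0, 4) + '***' + token.slice(-2);
}

function scanForSekuireSecrets(path: string, text: string): Finding[] {
  const findings: Finding[] = [];
  // The private key file must never be committed, whatever it contains.
  if (/(^|\/)\.sekuire\/secret\.key$/.test(path)) {
    findings.push({ line: 0, kind: 'private key file', redacted: path });
  }
  const lines = text.split('\n');
  for (let i = 0; i < lines.length; i++) {
    // Assumed body shape; documentation placeholders such as 'skt_...' do not match.
    const re = /\b(skt|srf|srt)_([A-Za-z0-9_-]{16,})/g;
    let m: RegExpExecArray | null;
    while ((m = re.exec(lines[i])) !== null) {
      findings.push({
        line: i + 1,
        kind: KINDS[m[1]] || 'token',
        redacted: redact(m[0]),
      });
    }
  }
  return findings;
}

// Constructed sample: an env file with fake values plus a docs-style placeholder.
const SAMPLE_ENV = [
  'SEKUIRE_INSTALLATION_ID=inst_0000example',
  'SEKUIRE_REFRESH_TOKEN=srf_FAKEfakeFAKEfake1234',
  "installToken: 'skt_...',",
  'SEKUIRE_RUNTIME_TOKEN=srt_FAKEfakeFAKEfake5678',
].join('\n');
```

Run `scanForSekuireSecrets` over each staged file's path and contents and fail the commit when it returns any findings.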
SDK Authentication
TypeScript:

import { SekuireSDK } from '@sekuire/sdk';

// The three options below are alternatives: use one of them.

// Option 1: From environment variables (recommended)
const sdk = SekuireSDK.fromEnv();

// Option 2: Explicit configuration (install token)
const sdk = new SekuireSDK({
  agentId: '7f8a9b3c2d1e...',
  installToken: 'skt_...',
  apiUrl: 'https://api.sekuire.ai',
});

// Option 3: Explicit configuration (recovery credentials)
const sdk = new SekuireSDK({
  agentId: '7f8a9b3c2d1e...',
  installationId: 'inst_...',
  refreshToken: 'srf_...',
  runtimeToken: 'srt_...', // optional
  apiUrl: 'https://api.sekuire.ai',
});

await sdk.start();
console.log('Connected:', sdk.isConnected());

Python:

from sekuire_sdk import SekuireSDK

# From environment variables
sdk = SekuireSDK.from_env()

# Or explicit config (private_key enables heartbeat)
# private_key is a secret: load it from the environment or a secret store
# rather than hardcoding it in source.
sdk = SekuireSDK(
    agent_id='7f8a9b3c2d1e...',
    private_key='ed25519-private-key-hex',
    api_url='https://api.sekuire.ai',
)

# await needs an async context, for example a coroutine run with asyncio.run()
await sdk.start()
Trust Headers (TypeScript)
For agent-to-agent (A2A) communication, trust headers can be generated via the registry API.
import { SekuireRegistryClient } from '@sekuire/sdk';

const client = new SekuireRegistryClient({
  apiUrl: 'https://api.sekuire.ai',
  apiKey: process.env.SEKUIRE_API_KEY,
});

const headers = await client.generateTrustHeaders({
  agentId: '7f8a9b3c2d1e...',
  action: 'a2a:request',
  context: { capability: 'summarize' },
});
Returned headers include:
- X-Sekuire-Agent-ID
- X-Sekuire-Reputation
- X-Sekuire-Verification
- X-Sekuire-Badges
- X-Sekuire-Timestamp
- X-Sekuire-Signature